<div dir="ltr">Justin,<div><br></div><div>I'm sure I could play around with those parameters a bit but don't want to open us up to any sort of actual DOS attack.</div><div><br></div><div>I sent it over to <a href="mailto:cefeedback@cisco.com">cefeedback@cisco.com</a> which is handling support during the feature preview until TAC takes over. They said that it's an issue with the 8800 series firmware where the endpoint gets stuck in a loop sending repeated authentication attempts.</div><div><br></div><div>I was able to view these requests at https://&lt;expressway-c&gt;/edgestatushttpproxyrequests and confirmed we're getting a few per second per endpoint.</div><div><br></div><div>They're currently working on an ES for the 8800 series to resolve this issue. I'll test it once I get my hands on it and report back.</div><div><br></div><div>Thanks,</div><div>Brian</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 15, 2015 at 3:04 PM, Justin Steinberg <span dir="ltr"><<a href="mailto:jsteinberg@gmail.com" target="_blank">jsteinberg@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">There are some settings on the Expressway regarding the number of auth attempts, etc. Have you tried to increase those to see if that makes any difference?</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 15, 2015 at 10:45 AM, Ryan Huff <span dir="ltr"><<a href="mailto:ryanhuff@outlook.com" target="_blank">ryanhuff@outlook.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr">I'll have to sift through my logs and see if that is what my issue was. Thanks for the follow through Brian.<br><br>Thanks,<br><br>Ryan<br><br><div><hr>Date: Tue, 15 Sep 2015 10:40:24 -0400<span class=""><span><br>Subject: Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection<br></span></span>From: <a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a><br>To: <a href="mailto:kevinp@advancedtsg.com" target="_blank">kevinp@advancedtsg.com</a><br>CC: <a href="mailto:ryanhuff@outlook.com" target="_blank">ryanhuff@outlook.com</a>; <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><div><div class="h5"><div><div><br><br><div dir="ltr">We're actually on 8.6.1.<div><br></div><div>I dug through the logs a bit more and found the same user also had an 8800 series phone logged in via MRA. Doing some further searching, I found someone who had the same issue logging into Jabber with an 8841 already logged in via MRA.</div><div><br></div><div>I had the user unplug their 8841 and they were able to login to Jabber fine after this.</div><div><br></div><div>It looks like I'll be reaching out to the feature preview folks to make sure they know about this issue.</div><div><br></div><div>Brian</div></div><div><br><div>On Tue, Sep 15, 2015 at 8:20 AM, Kevin Przybylowski <span dir="ltr"><<a href="mailto:kevinp@advancedtsg.com" target="_blank">kevinp@advancedtsg.com</a>></span> wrote:<br><blockquote style="border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US">
<div>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I almost upgraded our VCS servers to 8.6 last week and noticed a couple reviews on CCO so I stuck with 8.5.3. I’ll give 8.6.1 a try in a few days.<u></u><u></u></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p><img src="cid:image001.png@01D0EF8E.A89E1030" height="460" width="1023"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u><u></u></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cisco-voip [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Ryan Huff<br>
<b>Sent:</b> Monday, September 14, 2015 4:00 PM<br>
<b>To:</b> <a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>; <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection<u></u><u></u></span></p>
<p><u></u> <u></u></p>
Brian .... I had this issue this weekend in 8.6. My original issue was the "no home uds cluster" but I had issues with the proxy protocol violation.<u></u><u></u><br>
TAC's response was to go to 8.6.1 (released 9/11/15 ... yikes) or roll back to 8.5<u></u><u></u><br>
Thanks,<u></u><u></u><br>
Ryan<u></u><u></u><br><div><div>
<p><br>
<br>
-------- Original Message --------<br>
From: Brian Meade <<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>><br>
Sent: Monday, September 14, 2015 03:49 PM<br>
To: <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
Subject: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection<u></u><u></u></p>
<div>
<p>Is anyone else having issues with the "HTTP proxy protocol violation" automated detection feature or Expressway?<u></u><u></u></p>
<div>
<p><u></u> <u></u></p>
</div>
<div>
<p>I've got over 10,000 hits on this built-in rule and it seems to be blocking some legitimate logins via Jabber.<u></u><u></u></p>
</div>
<div>
<p><u></u> <u></u></p>
</div>
<div>
<p>It looks like this in the event log:<u></u><u></u></p>
</div>
<div>
<div>
<p>2015-09-11T21:05:09-04:00 sh[1195]: Event="Intrusion Protection" Src-ip="X.X.X.X" Detail="Collaboration Edge HTTP Intrusion Protection blocking X.X.X.X" Level="INFO" UTCTime="2015/09/12-01:05:09"<u></u><u></u></p>
</div>
<div>
<p>2015-09-11T21:05:09-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="X.X.X.X" Dst-port="52940" UTCTime="2015-09-12 01:05:09,151" <u></u><u></u></p>
</div>
</div>
<div>
<p><u></u> <u></u></p>
</div>
<div>
<p>It looks like this in the Jabber log:<u></u><u></u></p>
</div>
<div>
<div>
<p>2015-09-11 17:09:15,746 INFO [0x00000dc0] [ls\src\http\BasicHttpClientImpl.cpp(399)] [csf.httpclient] [csf::http::executeImpl] - *-----* HTTP response code 0 for request #2 to
<a href="https://myexpressway.client.com:8443/bG9naWNub3cuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin" target="_blank">
https://myexpressway.client.com:8443/bG9naWNub3cuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin</a><u></u><u></u></p>
</div>
<div>
<p>2015-09-11 17:09:15,746 ERROR [0x00000dc0] [ls\src\http\BasicHttpClientImpl.cpp(404)] [csf.httpclient] [csf::http::executeImpl] - There was an issue performing the call to curl_easy_perform for request #2: CONNECTION_TIMEOUT_ERROR<u></u><u></u></p>
</div>
</div>
<div>
<p><u></u> <u></u></p>
</div>
<div>
<p>It looks like this in the detailed Expressway logging:<u></u><u></u></p>
</div>
<div>
<div>
<p>2015-09-11T11:12:06-04:00 atlitexpe1 UTCTime="2015-09-11 15:12:06,146" Event="System Configuration Changed" Node="<a href="mailto:clusterdb@127.0.0.1" target="_blank">clusterdb@127.0.0.1</a>" PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid
12f52e25-4df6-4fd3-9697-621d9de3a796 jail: http-ce-intrusion total_fails - changed from: 202411 to: 202416"<u></u><u></u></p>
</div>
</div>
<div>
<p><u></u> <u></u></p>
</div>
<div>
<p><u></u> <u></u></p>
</div>
<div>
<p>Anyone else seeing issues like this? This particular user also has an 8841 at home. Is there a limit to number of MRA connections behind a single public IP?<u></u><u></u></p>
</div>
<div>
<p><u></u> <u></u></p>
</div>
<div>
<p>Thanks,<u></u><u></u></p>
</div>
<div>
<p>Brian Meade<u></u><u></u></p>
</div>
</div>
</div></div></div>
</div>
</blockquote></div><br></div></div></div></div></div></div> </div></div>
<br></blockquote></div><br></div>
</blockquote></div><br></div>
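<p>Added example, not part of the original thread and not Cisco's tooling: a triage script that reads event-log lines in the format quoted above and reports, per client IP, how many Intrusion Protection bans and HTTP 429 responses it received and its peak 429 rate per second, plus how much each fail2ban jail's total_fails counter grew. The sample lines are constructed (documentation IP addresses, made-up uuid), and the function and field names in the report are assumptions.</p>

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format quoted in the thread (documentation IPs, made-up uuid).
SAMPLE_LOG = '''\
2015-09-11T21:05:08-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="203.0.113.10" Dst-port="52938" UTCTime="2015-09-12 01:05:08,151"
2015-09-11T21:05:08-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="203.0.113.10" Dst-port="52939" UTCTime="2015-09-12 01:05:08,402"
2015-09-11T21:05:08-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="203.0.113.10" Dst-port="52940" UTCTime="2015-09-12 01:05:08,777"
2015-09-11T21:05:09-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="203.0.113.10" Dst-port="52941" UTCTime="2015-09-12 01:05:09,151"
2015-09-11T21:05:09-04:00 sh[1195]: Event="Intrusion Protection" Src-ip="203.0.113.10" Detail="Collaboration Edge HTTP Intrusion Protection blocking 203.0.113.10" Level="INFO" UTCTime="2015/09/12-01:05:09"
2015-09-11T21:06:30-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="198.51.100.7" Dst-port="40112" UTCTime="2015-09-12 01:06:30,020"
2015-09-11T21:06:31-04:00 expe1 UTCTime="2015-09-12 01:06:31,146" Event="System Configuration Changed" Node="clusterdb@127.0.0.1" PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid 00000000-0000-0000-0000-000000000000 jail: http-ce-intrusion total_fails - changed from: 202411 to: 202416"
'''

FIELD = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs on an event-log line
JAIL = re.compile(r'jail: (\S+) total_fails - changed from: (\d+) to: (\d+)')

def summarize(log_text):
    """Return ({ip: stats}, {jail: added_fails}) for Expressway event-log text."""
    bans = Counter()                  # ip -> number of "Intrusion Protection" block events
    throttled = defaultdict(Counter)  # ip -> {UTC second -> number of 429 responses}
    jail_fails = Counter()            # jail name -> growth of total_fails
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        event = f.get("Event")
        if event == "Intrusion Protection" and "Src-ip" in f:
            bans[f["Src-ip"]] += 1
        elif event == "Sending HTTP error response" and f.get("Status") == "429":
            second = f.get("UTCTime", "").split(",")[0]  # drop the milliseconds
            throttled[f.get("Dst-ip", "unknown")][second] += 1
        elif event == "System Configuration Changed":
            m = JAIL.search(f.get("Detail", ""))
            if m:
                jail_fails[m.group(1)] += int(m.group(3)) - int(m.group(2))
    report = {}
    for ip in set(bans) | set(throttled):
        per_sec = throttled.get(ip, Counter())
        report[ip] = {"bans": bans[ip],
                      "http_429": sum(per_sec.values()),
                      "peak_429_per_sec": max(per_sec.values(), default=0)}
    return report, dict(jail_fails)

if __name__ == "__main__":
    per_ip, jails = summarize(SAMPLE_LOG)
    for ip, stats in sorted(per_ip.items(), key=lambda kv: -kv[1]["http_429"]):
        print(ip, stats)
    print(jails)
```

An address with sustained 429s per second and repeated bans, as in the looping-endpoint case described in the thread, stands out from one that tripped the rule once; several clients behind one NAT address share a single row.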